Package: openssh
Version: 1:4.3p2-4
Severity: wishlist
Tags: patch

Hello folks,
Sam and I, and I'm sure the security team as well, would love to get rid of the separate ssh-krb5 package for etch now that the GSSAPI patch has been incorporated into openssh. There are only a few small issues in the way of doing this:

* openssh-client doesn't default to attempting GSSAPI authentication. There's no reason not to enable this by default; it is quietly skipped if the user has no Kerberos ticket cache or if the remote host doesn't advertise GSSAPI. Without this enabled, the upgrade from ssh-krb5 to openssh-client would silently break GSSAPI authentication for users.

* openssh-server doesn't enable GSSAPI by default. This is a reasonable default and ideally should be a debconf prompt, but in the interim, installing ssh-krb5 needs to result in a GSSAPI-enabled server. We therefore need a transitional package that will do the right thing in the configuration.

* ssh-krb5 in sarge supports the GSSAPINoMICAuthentication configuration option, which is no longer supported by the current GSSAPI code. This option should therefore be removed from the sshd_config if seen there.

Attached is a lightly tested patch that takes care of all of these issues and adds an ssh-krb5 transitional package to the openssh package. I would very much like to get this into etch; I'm sorry that it's taken me so long to get around to writing it. Please let me know if you have any additional concerns.

(BTW, I also noticed that the current openssh-client package does not include the -K patch to add a -K option that's the inverse of -k and turns on ticket delegation regardless of the config setting. I thought that this was part of the standard GSSAPI patch, but possibly not. Could you include this? This may also be necessary for this transition, and it's very useful.)
-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -ruN openssh-4.3p2-current/debian/control openssh-4.3p2/debian/control --- openssh-4.3p2-current/debian/control 2006-10-03 22:16:37.000000000 -0700 +++ openssh-4.3p2/debian/control 2006-10-03 23:07:05.000000000 -0700 @@ -9,8 +9,8 @@ Package: openssh-client Architecture: any Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd -Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 -Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5 +Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-5) +Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5 (<< 1:4.3p2-5) Suggests: ssh-askpass, xbase-clients Provides: rsh-client, ssh-client Description: Secure shell client, an rlogin/rsh/rcp replacement @@ -39,8 +39,8 @@ Priority: optional Architecture: any Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version}) -Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 -Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5 +Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-5) +Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5 (<< 1:4.3p2-5) Suggests: ssh-askpass, xbase-clients, rssh Provides: ssh-server Description: Secure shell server, an rshd replacement 
@@ -72,6 +72,16 @@ the OpenSSH server, which are now in separate packages. You may remove it once the upgrade is complete and nothing depends on it. +Package: ssh-krb5 +Priority: extra +Architecture: all +Depends: openssh-client, openssh-server +Description: Secure shell client and server (transitional package) + This is a transitional package depending on the regular Debian OpenSSH + client and server, which now support GSSAPI natively. It will add the + necessary GSSAPI options to the server configuration file. You can + remove it once the upgrade is complete and nothing depends on it. + Package: ssh-askpass-gnome Section: gnome Priority: optional diff -ruN openssh-4.3p2-current/debian/openssh-server.postinst openssh-4.3p2/debian/openssh-server.postinst --- openssh-4.3p2-current/debian/openssh-server.postinst 2006-10-03 22:16:37.000000000 -0700 +++ openssh-4.3p2/debian/openssh-server.postinst 2006-10-03 23:27:05.000000000 -0700 @@ -72,6 +72,17 @@ } +remove_obsolete_gssapi() { + grep -qi '^[ ]*GSSAPINoMICAuthentication' /etc/ssh/sshd_config \ + || return 0 + perl -pe 's/^(\s*GSSAPINoMICAuthentication)/\#$1/i' \ + < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new + chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new + chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config +} + + host_keys_required() { hostkeys="$(get_config_option HostKey)" if [ "$hostkeys" ]; then @@ -190,6 +201,9 @@ move_subsystem_sftp fi + # Remove obsolete GSSAPI options. + remove_obsolete_gssapi + return 0 fi fi diff -ruN openssh-4.3p2-current/debian/rules openssh-4.3p2/debian/rules --- openssh-4.3p2-current/debian/rules 2006-10-03 22:16:37.000000000 -0700 +++ openssh-4.3p2/debian/rules 2006-10-03 22:58:25.000000000 -0700 
@@ -166,7 +166,7 @@ install -m 755 build-udeb/ssh-keygen debian/openssh-server-udeb/usr/bin/ssh-keygen # Build architecture-independent files here. -binary-indep: binary-ssh +binary-indep: binary-ssh binary-ssh-krb5 # Build architecture-dependent files here. binary-arch: binary-openssh-client binary-openssh-server @@ -244,6 +244,19 @@ dh_md5sums dh_builddeb +binary-ssh-krb5: DH_OPTIONS=-pssh-krb5 +binary-ssh-krb5: build install + dh_testdir + dh_testroot + dh_installdocs + dh_link + dh_compress + dh_fixperms + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + binary-ssh-askpass-gnome: DH_OPTIONS=-pssh-askpass-gnome binary-ssh-askpass-gnome: build install dh_testdir @@ -292,5 +305,5 @@ .PHONY: build clean binary-indep binary-arch binary install .PHONY: build-deb build-udeb .PHONY: binary-openssh-client binary-openssh-server binary-ssh -.PHONY: binary-ssh-askpass-gnome +.PHONY: binary-ssh-krb5 binary-ssh-askpass-gnome .PHONY: binary-openssh-client-udeb binary-openssh-server-udeb diff -ruN openssh-4.3p2-current/debian/ssh-krb5.NEWS openssh-4.3p2/debian/ssh-krb5.NEWS --- openssh-4.3p2-current/debian/ssh-krb5.NEWS 1969-12-31 16:00:00.000000000 -0800 +++ openssh-4.3p2/debian/ssh-krb5.NEWS 2006-10-03 22:27:35.000000000 -0700 
@@ -0,0 +1,18 @@ +ssh-krb5 (1:4.3p2-5) unstable; urgency=low + + The normal openssh-server and openssh-client packages in Debian now + include full GSSAPI support, including key exchange. This package is + now only a transitional package that depends on openssh-server and + openssh-client and configures openssh-server for GSSAPI configuration + if it wasn't already. + + You can now simply install openssh-server and openssh-client directly + and remove this package. Just make sure that /etc/ssh/sshd_config + contains: + + GSSAPIAuthentication yes + GSSAPIKeyExchange yes + + if you want to support GSSAPI authentication to your ssh server. + + -- Russ Allbery <[EMAIL PROTECTED]> Tue, 03 Oct 2006 22:27:27 -0700 diff -ruN openssh-4.3p2-current/debian/ssh-krb5.postinst openssh-4.3p2/debian/ssh-krb5.postinst --- openssh-4.3p2-current/debian/ssh-krb5.postinst 1969-12-31 16:00:00.000000000 -0800 +++ openssh-4.3p2/debian/ssh-krb5.postinst 2006-10-03 23:27:02.000000000 -0700 
@@ -0,0 +1,37 @@ +#!/bin/sh + +set -e + +if [ "$1" = configure ] ; then + if grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then + : + else + if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then + perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i' \ + < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new + chown --reference /etc/ssh/sshd_config \ + /etc/ssh/sshd_config.dpkg-new + chmod --reference /etc/ssh/sshd_config \ + /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config + else + cat >> /etc/ssh/sshd_config <<EOF + +# GSSAPI authentication +GSSAPIAuthentication yes +GSSAPIKeyExchange yes +EOF + fi + if [ -x /etc/init.d/ssh ] ; then + if [ -x /usr/sbin/invoke-rc.d ] ; then + invoke-rc.d ssh restart + else + /etc/init.d/ssh restart + fi + fi + fi +fi + +#DEBHELPER# + +exit 0 diff -ruN openssh-4.3p2-current/ssh_config openssh-4.3p2/ssh_config --- openssh-4.3p2-current/ssh_config 2006-10-03 22:16:37.000000000 -0700 +++ openssh-4.3p2/ssh_config 2006-10-03 22:30:14.000000000 -0700 @@ -43,3 +43,5 @@ # PermitLocalCommand no SendEnv LANG LC_* HashKnownHosts yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no
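Review bot: the new ssh-krb5 stanza in debian/control (hunk @@ -72,6 +72,16 @@) depends on bare openssh-client and openssh-server; since its postinst writes GSSAPIKeyExchange into sshd_config and that keyword only exists in the GSSAPI-enabled build, the dependencies should be versioned to match the (<< 1:4.3p2-5) used in the Conflicts/Replaces lines above, i.e. "Depends: openssh-client (>= 1:4.3p2-5), openssh-server (>= 1:4.3p2-5)", so an older server can never be configured with an option it rejects.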
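Review bot: in remove_obsolete_gssapi (openssh-server.postinst, hunk @@ -72,6 +72,17 @@) the guard "grep -qi '^[ ]*GSSAPINoMICAuthentication'" only accepts spaces before the keyword while the perl substitution accepts any whitespace (\s*), so a tab-indented option makes the function return early and the keyword stays in place, where sshd rejects it as unknown; use '^[[:space:]]*GSSAPINoMICAuthentication' for the guard so both patterns agree. Commenting the line out rather than deleting it is the right call, since it leaves the admin's previous setting visible in the file.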
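Review bot: remove_obsolete_gssapi is only called inside the block that also runs move_subsystem_sftp and then returns (hunk @@ -190,6 +201,9 @@), which from the surrounding context is the path taken when an existing openssh-server is upgraded. A sarge host moving off ssh-krb5 does not take that path: the old openssh-server conflicted with ssh-krb5 unversioned, so openssh-server is a fresh install there and keeps the sshd_config that ssh-krb5 (which it now Replaces) left behind, GSSAPINoMICAuthentication included. Call remove_obsolete_gssapi whenever /etc/ssh/sshd_config already exists at configure time, or additionally from ssh-krb5.postinst, so that path is covered too.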
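Review bot: the binary-ssh-krb5 target in debian/rules (hunk @@ -244,6 +244,19 @@) never runs dh_installchangelogs, so the debian/ssh-krb5.NEWS file added in this patch is not installed as NEWS.Debian and the package ships without the Debian changelog Policy requires; add "dh_installchangelogs" after dh_installdocs in that target.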
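Review bot: in ssh-krb5.postinst the guard and the uncommenting regex together can leave GSSAPI switched off. The guard "grep -qi '^[ ]*GSSAPI'" matches any active GSSAPI* keyword, e.g. GSSAPICleanupCredentials or the leftover GSSAPINoMICAuthentication from sarge, and treats that as "already configured"; and when it does fall through to the '^#GSSAPI' branch, "s/^\#(GSSAPI(Authentication|KeyExchange))\b/$1/i" keeps whatever value follows, so the upstream-style commented default "#GSSAPIAuthentication no" becomes an active "GSSAPIAuthentication no". Test for GSSAPIAuthentication specifically ('^[[:space:]]*GSSAPIAuthentication[[:space:]]') and have the substitution write the value, e.g. "s/^\#\s*(GSSAPI(Authentication|KeyExchange))\b.*/$1 yes/i".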
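Review bot: GSSAPIDelegateCredentials no is the right companion to GSSAPIAuthentication yes in ssh_config (hunk @@ -43,3 +43,5 @@): it stops the client's Kerberos ticket from being forwarded to every host that merely advertises GSSAPI, while authentication still works when a ticket cache is present. A one-line comment above the pair stating that intent (and that per-host overrides go in a Host block) would keep a later cleanup from "simplifying" delegation to yes.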
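The two sshd_config transitions the report asks for (turning GSSAPIAuthentication and GSSAPIKeyExchange on, retiring GSSAPINoMICAuthentication) as one idempotent rewrite; this is an added example, not the patch above, and it goes a step further than the patch by forcing the value to yes even when the file only carries a commented "#GSSAPIAuthentication no". It assumes an sshd_config without Match blocks (one global "Keyword value" per line) and runs on a constructed sample file.

```shell
#!/bin/sh
# Added example (not the patch from the bug report): one idempotent rewrite of
# sshd_config that sets GSSAPIAuthentication and GSSAPIKeyExchange to "yes"
# whatever value they carry (commented or not) and comments out the obsolete
# GSSAPINoMICAuthentication keyword, which current sshd rejects.
# Assumes a pre-Match-block sshd_config: one global "Keyword value" per line.
set -e

enable_gssapi() {                       # usage: enable_gssapi /etc/ssh/sshd_config
    cp -p "$1" "$1.tmp"                 # temp copy keeps the original's owner/mode
    awk '
    BEGIN { canon["gssapiauthentication"] = "GSSAPIAuthentication"
            canon["gssapikeyexchange"]    = "GSSAPIKeyExchange" }
    {
        s = $0; sub(/^[ \t]*#?[ \t]*/, "", s)          # drop indent and a leading "#"
        n = split(s, f, "[ \t=]+"); k = tolower(f[1]); v = tolower(f[2])
        active = ($0 !~ /^[ \t]*#/)
        # An active line is always a setting; a commented one only if it is exactly
        # "Keyword yes|no", so prose like "# GSSAPIAuthentication is nice" is left alone.
        is_setting = active || (n == 2 && (v == "yes" || v == "no"))
        if ((k == "gssapiauthentication" || k == "gssapikeyexchange") && is_setting) {
            if (!done[k]++) print canon[k] " yes"   # sshd honours the first occurrence
            next                                     # later copies would be ignored anyway
        }
        if (k == "gssapinomicauthentication" && active) { print "#" $0; next }
        print
    }
    END {   # nothing to rewrite: append, as the ssh-krb5 postinst does
        if (!done["gssapiauthentication"]) print "GSSAPIAuthentication yes"
        if (!done["gssapikeyexchange"])    print "GSSAPIKeyExchange yes"
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample: roughly what a sarge ssh-krb5 host might leave behind
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
Protocol 2
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
GSSAPINoMICAuthentication yes
  GSSAPIKeyExchange no
UsePAM yes
EOF
enable_gssapi "$SAMPLE"
cat "$SAMPLE"
```

Running it twice leaves the file unchanged the second time, which is what a postinst needs on reconfigure.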